CVE-2026-49093
Server-Side Request Forgery in Kibana
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Elastic
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elastic | kibana | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Server-Side Request Forgery (SSRF) issue in Kibana. It allows an authenticated user who has connector management privileges to bypass the operator-configured connector allowlist. As a result, the Kibana server can be tricked into making outbound requests to destinations that the egress controls were designed to block.
How can this vulnerability impact me?
An attacker who already holds connector management privileges in Kibana can make the Kibana server itself send requests to destinations the operator never intended to allow. Because those requests originate from the server, they can reach internal services, cloud metadata endpoints, and other hosts on the Kibana server's network that the egress controls were meant to shield, and may expose internal resources or data to the attacker.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation steps include upgrading Kibana to version 9.3.3 or later, where the vulnerability is fixed.
If upgrading is not immediately possible, restrict connector management privileges to trusted users only, to reduce the risk of exploitation.
Additionally, review and tighten the `xpack.actions.allowedHosts` setting so that it lists only the hosts connectors actually need to reach. The default value is the wildcard `["*"]`, which permits any destination and gives the allowlist nothing to enforce; an allowlist that is not restrictive in the first place is bypassed for free.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the Server-Side Request Forgery vulnerability in Kibana directly impacts compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection centres on outbound requests from the Kibana server to destinations that the egress controls should have blocked. Because the bypass requires an authenticated user with connector management privileges, pair network monitoring with a review of who created or modified connectors.
Look for outbound traffic from the Kibana host to hosts not listed in `xpack.actions.allowedHosts`, and for connector changes that precede such traffic. On a Linux host, for example:
- `tcpdump -i <interface> 'host <kibana_server_ip> and not net <allowed_networks>'` captures traffic between the Kibana host and anything outside the networks you expect connectors to talk to.
- `ss -tnp` (or the older `netstat -anp`) lists established connections with their owning process. Kibana runs as a Node.js process, so filter on its PID rather than on the string `kibana`, which will usually not appear in the process column.
- Review Kibana's logs for connector management activity. With audit logging enabled (`xpack.security.audit.enabled: true`), connector creation and updates are recorded together with the acting user, which lets you attribute a suspicious connector to the account that configured it.
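The allowlist review and the audit-log review described above, as an added example in Python (this is not Kibana's or Elastic's code). It assumes that the connector list has the shape returned by Kibana's `GET /api/actions/connectors` API, where webhook-type connectors carry their target in `config.url` (a constructed sample is embedded), and that the audit records are ECS JSON lines of the kind Kibana writes when audit logging is enabled, with `event.action` values such as `connector_create` and `connector_update` (also constructed; the exact field layout is an assumption for illustration). The allowlist semantics implemented here, a literal `*` entry allows any host and otherwise the URL's hostname must match an entry exactly, model the intent of the setting as this page describes it, not Kibana's internal implementation.

```python
"""Audit Kibana connectors against xpack.actions.allowedHosts and list who
changed them. Added example, not Kibana code. Assumptions: CONNECTORS has
the shape of a GET /api/actions/connectors response; AUDIT_LINES are
ECS-style audit records with event.action / user.name / kibana.saved_object
(both samples are constructed, not captured from a real deployment)."""
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample of connector definitions.
CONNECTORS = json.dumps([
    {"id": "c1", "name": "ops-hook", "connector_type_id": ".webhook",
     "config": {"url": "https://hooks.example.com/ops"}},
    {"id": "c2", "name": "metadata", "connector_type_id": ".webhook",
     "config": {"url": "http://169.254.169.254/latest/meta-data/"}},
    {"id": "c3", "name": "odd-port", "connector_type_id": ".webhook",
     "config": {"url": "http://HOOKS.EXAMPLE.COM:8443/x"}},
    {"id": "c4", "name": "index-only", "connector_type_id": ".index",
     "config": {"index": "alerts"}},
])

# Constructed sample of audit events, one JSON object per line.
AUDIT_LINES = """\
{"@timestamp":"2026-05-29T10:00:01Z","event":{"action":"connector_create","outcome":"success"},"user":{"name":"alice"},"kibana":{"saved_object":{"type":"action","id":"c1"}}}
{"@timestamp":"2026-05-29T10:02:17Z","event":{"action":"connector_update","outcome":"success"},"user":{"name":"mallory"},"kibana":{"saved_object":{"type":"action","id":"c2"}}}
{"@timestamp":"2026-05-29T10:02:20Z","event":{"action":"connector_get","outcome":"success"},"user":{"name":"mallory"},"kibana":{"saved_object":{"type":"action","id":"c2"}}}
{"@timestamp":"2026-05-29T10:03:00Z","event":{"action":"connector_update","outcome":"failure"},"user":{"name":"mallory"},"kibana":{"saved_object":{"type":"action","id":"c3"}}}
"""


def host_allowed(url, allowed_hosts):
    """Return (ok, hostname). A literal "*" entry permits any host; otherwise
    the URL's hostname must match an entry exactly (case-insensitive, port
    ignored). Scheme-less or malformed URLs yield hostname None."""
    host = urlsplit(url).hostname
    if host is None:
        return False, None
    host = host.lower()
    if "*" in allowed_hosts:
        return True, host
    return host in {h.lower() for h in allowed_hosts}, host


def is_internal(host):
    """True for IP literals in private, loopback or link-local space, the
    usual SSRF targets (e.g. the cloud metadata endpoint)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; resolution is out of scope here
    return ip.is_private or ip.is_loopback or ip.is_link_local


def audit_connectors(connectors_json, allowed_hosts):
    """Findings as (kind, connector_id, detail) tuples."""
    findings = []
    if "*" in allowed_hosts:
        findings.append(("allowlist", None,
                         "xpack.actions.allowedHosts is the wildcard default; egress is not restricted"))
    for c in json.loads(connectors_json):
        url = c.get("config", {}).get("url")
        if url is None:
            continue  # connector type without an outbound URL
        ok, host = host_allowed(url, allowed_hosts)
        if host is None:
            findings.append(("unparseable", c["id"], url))
        elif not ok:
            findings.append(("not-allowlisted", c["id"], host))
        if host and is_internal(host):
            findings.append(("internal-target", c["id"], host))
    return findings


def connector_changes(audit_lines,
                      actions=("connector_create", "connector_update", "connector_delete")):
    """(timestamp, user, action, connector_id, outcome) for each record whose
    event.action is a connector-modifying action; reads are ignored."""
    out = []
    for line in audit_lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        action = rec.get("event", {}).get("action")
        if action in actions:
            out.append((rec["@timestamp"], rec["user"]["name"], action,
                        rec["kibana"]["saved_object"]["id"],
                        rec["event"].get("outcome")))
    return out


if __name__ == "__main__":
    for f in audit_connectors(CONNECTORS, ["hooks.example.com"]):
        print(f)
    for ch in connector_changes(AUDIT_LINES):
        print(ch)
```

Run against a real deployment, replace the two constructed samples with the output of the connectors API and the audit log file; the `internal-target` check is deliberately separate from the allowlist check, since a connector pointing at link-local or loopback space is worth a look even when the allowlist happens to permit it.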